Getting Ready for Apple Fall 2021 Releases - VMware Workspace ONE UEM - VMware Docs
Getting Ready for Apple Fall 2021 Releases

You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com

© Copyright 2021 VMware, Inc. All rights reserved. Copyright and trademark information.
Contents

1 Getting Ready for Apple Fall 2021 Releases
  Profiles with Two or More of the Same Payload Type
    Workaround
    Patched Versions
  Declarative Device Management
    What is DDM?
    What isn't DDM?
    How will DDM impact my deployment day 1?
    How can I trial DDM in my Workspace ONE environment?
  ABM/ASM Apps & Books Improvements
    How will these changes impact my organization?
  Account driven User Enrollment in iOS 15
    How will this impact my current User Enrolled devices?
    Will the previous User Enrollment method released in iOS 13 still work?
    Is there any difference between devices enrolled with the original vs account driven method?
    How can I see and adopt the new account driven User Enrollment?
  iOS 15
    Required App
    Profiles
    Commands
  macOS Monterey 12.0
    Profiles
    Commands
  tvOS 15
  Resources
1 Getting Ready for Apple Fall 2021 Releases

Once again, Apple virtualized its Worldwide Developer Conference (WWDC) and announced the fall release of iOS/iPadOS 15, macOS Monterey (12.0), and tvOS 15. This document will be your guide to all of the updates and any preparations to make for your organization's Workspace ONE environment.

The anticipated release timeline for these updates is likely similar to past years. This means it is reasonable to expect a mid to late September release for iOS/iPadOS 15 and tvOS 15, with macOS Monterey following shortly after in late September or early October. All of Apple's WWDC sessions for this information are available at the Apple developer website, and anyone with a valid Managed Apple ID can access AppleSeed for IT, which contains testing instructions and release notes for all new operating systems.

This chapter includes the following topics:

- Profiles with Two or More of the Same Payload Type
- Declarative Device Management
- ABM/ASM Apps & Books Improvements
- Account driven User Enrollment in iOS 15
- iOS 15
- macOS Monterey 12.0
- tvOS 15
- Resources

Profiles with Two or More of the Same Payload Type

Starting in iOS 14.5, Apple made a change to prevent installation of profiles if they contained two or more specific payloads (e.g. Exchange) with the same payload ID. In iOS 15 and macOS Monterey, this has been extended to all payload types. The Workspace ONE team is working on a patch for all supported versions of Workspace ONE UEM to avoid any adverse effects. This should not impact any profiles with multiple payloads as long as the payloads are of different types (e.g. Wi-Fi and Certificate).
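A pre-deployment check for the condition described above, as an added example (not Workspace ONE or Apple code): it flags a profile that repeats a payload type and applies the Workaround from this document by dealing the payloads into separate profiles. The sample profile, its identifiers and UUIDs are constructed.

```python
"""Lint and split a configuration profile whose payloads repeat a type."""
import copy
import plistlib
import uuid
from collections import Counter

# Constructed sample: two Exchange payloads in one profile, the shape that
# iOS 15 and macOS Monterey refuse to install, plus an unrelated Wi-Fi payload.
SAMPLE_PROFILE = {
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.mail",  # constructed identifier
    "PayloadUUID": "0E3C9C1A-6F2B-4B7E-9C64-1D2F3A4B5C6D",  # constructed
    "PayloadDisplayName": "Corporate Mail",
    "PayloadContent": [
        {"PayloadType": "com.apple.eas.account", "PayloadVersion": 1,
         "PayloadIdentifier": "com.example.mail.eas.user", "PayloadUUID": "UUID-1",
         "EmailAddress": "jdoe@worldwideenterprises.com", "Host": "mail.example"},
        {"PayloadType": "com.apple.eas.account", "PayloadVersion": 1,
         "PayloadIdentifier": "com.example.mail.eas.shared", "PayloadUUID": "UUID-2",
         "EmailAddress": "helpdesk@worldwideenterprises.com", "Host": "mail.example"},
        {"PayloadType": "com.apple.wifi.managed", "PayloadVersion": 1,
         "PayloadIdentifier": "com.example.mail.wifi", "PayloadUUID": "UUID-3",
         "SSID_STR": "CorpWiFi", "EncryptionType": "WPA2"},
    ],
}


def duplicate_payload_types(profile):
    """Return {PayloadType: count} for every type that appears more than once."""
    counts = Counter(p["PayloadType"] for p in profile["PayloadContent"])
    return {t: n for t, n in counts.items() if n > 1}


def split_profile(profile):
    """Workaround: one payload of each type per profile.

    Each payload goes into the first bucket that does not already hold its
    type, so N copies of one type become N profiles and unrelated payloads
    (here Wi-Fi) ride along with the first copy.
    """
    buckets = []
    for payload in profile["PayloadContent"]:
        for bucket in buckets:
            if all(p["PayloadType"] != payload["PayloadType"] for p in bucket):
                bucket.append(payload)
                break
        else:
            buckets.append([payload])
    parts = []
    for i, bucket in enumerate(buckets, 1):
        part = copy.deepcopy(profile)
        part["PayloadContent"] = bucket
        if len(buckets) > 1:  # every part needs its own top-level identity
            part["PayloadIdentifier"] = f"{profile['PayloadIdentifier']}.part{i}"
            part["PayloadUUID"] = str(uuid.uuid5(uuid.NAMESPACE_URL, part["PayloadIdentifier"])).upper()
            part["PayloadDisplayName"] = f"{profile['PayloadDisplayName']} ({i} of {len(buckets)})"
        parts.append(part)
    return parts


def to_mobileconfig(profile):
    """Serialise a profile dict to .mobileconfig (XML plist) bytes."""
    return plistlib.dumps(profile)
```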
Any profiles already installed on devices will continue to work even after updating to iOS 15. This change only affects the installation of new profiles.

Workaround

The current workaround is to deploy only one of a particular payload type per profile. This means that if a profile has two of the same payload type, they should be broken out into two profiles.

Patched Versions

UEM Version | Patch Version
2005 | 20.5.0.52
2006 | 20.6.0.21
2007 | 20.7.0.16
2008 | 20.8.0.34
2010 | 20.10.0.20
2011 | 20.11.0.32
2101 | 21.1.0.19
2102 | 21.2.0.16
2105 | All versions
2107 | All versions

Declarative Device Management

Declarative device management (DDM) will be the new way to deploy and manage Apple devices going forward. Starting with the fall 2021 OS releases, devices can be managed using the existing "imperative" management model or the new "declarative" management model. DDM will contain several improvements to the current management process. It is important to note that DDM will only be available for User Enrolled devices in iOS 15 and macOS Monterey, but this will likely be expanded to other ownership modes in the future.

There will also be a dedicated Declarative Device Management knowledge base page that will be the hub for all dates, discoveries, and announcements that extend past the Fall 2021 releases. We will update this page with the link when it is available.

What is DDM?

Through its declarative nature, DDM allows the on-device MDM client to perform asynchronous actions to apply settings, install resources, and report status to the MDM server (Workspace ONE UEM). This is different from the current management model, where all actions and settings are driven by Workspace ONE UEM issuing commands during a device check-in.
All settings, apps, restrictions, updates, samples, and other MDM objects will still be admin created and "assigned" to Apple devices. However, Workspace ONE UEM will no longer be required to perform a set of ordered commands to achieve desired goals. This reduces the number of required commands for improved performance and reliability.

DDM will contain a few new objects that will allow admins to take advantage of the new protocol's behavior. Those new components are declarations, statuses, and extensibility. While Apple's developer session and VMware's EUC blog post will contain more information on these details, below is a summary of these objects and their correlation to MDM.

- Declarations
  - Declarations take the form of 4 types: Configurations, Assets, Activations, and Management.
  - Configurations are similar to Profiles in Workspace ONE UEM. They configure things like email, settings, and restrictions.
  - Assets contain reference data such as the user's identity. Configurations can reference assets. This means that if an asset needs to be updated, it will automatically update all associated configurations.
  - Activations are collections of configurations that can be given prerequisites to be installed. For example, an activation can be made to only install a certain restriction if the device type is iPad.
  - Management declarations contain general information such as organization details and access rights.
- Statuses
  - The device will report statuses to Workspace ONE automatically on a change in status.
  - For example, if a device updates to a new version of iOS or an app is deleted, this information is automatically sent to Workspace ONE rather than waiting on the server to query the device.
  - MDM servers must subscribe to this channel and have appropriate permissions.
- Extensibility
  - MDM servers and devices can report their supported functionality.
  - This will allow MDM servers to handle which actions to take on which devices regardless of hardware, software, or Workspace ONE version.

See the below example for installing an application.

Current: (diagram not included in this transcription)

Declarative (New!): (diagram not included in this transcription)

What isn't DDM?

The most important detail of DDM is that it is not replacing the current management model. Both the existing "imperative" model and DDM are built on the same MDM framework, and both will continue to be supported by both Apple and Workspace ONE for the foreseeable future. Enrolled devices will not need to be re-enrolled to continue using their current management, and all existing management functionality will remain unchanged.
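A small model of the declaration objects summarised above (configurations, assets, activations and the status channel), added here as an example and not Apple's or VMware's code. Declaration type names, the @status(...) predicate form and the *AssetReference key are modelled on Apple's published declarative format; the identifiers, payload values and the token scheme are constructed simplifications.

```python
"""Simplified model of DDM declarations: activation predicates and asset references."""
import hashlib
import json
import re

# Predicate subset supported here: @status(key) == 'value' clauses joined by AND.
_CLAUSE = re.compile(r"@status\(([\w.\-]+)\)\s*==\s*'([^']*)'")


def server_token(payload):  # lets the device detect that a declaration changed
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()[:16]


class DeclarationStore:
    def __init__(self):
        self.declarations = {}  # identifier -> {"Type", "Payload", "ServerToken"}

    def put(self, identifier, dtype, payload):
        self.declarations[identifier] = {"Type": dtype, "Payload": payload,
                                         "ServerToken": server_token(payload)}

    def dependents(self, asset_id):
        """Configurations referencing the asset: they follow an asset update unedited."""
        return sorted(ident for ident, d in self.declarations.items()
                      if d["Type"].startswith("com.apple.configuration.")
                      and any(k.endswith("AssetReference") and v == asset_id
                              for k, v in d["Payload"].items()))

    @staticmethod
    def predicate_holds(predicate, status):
        """Evaluate the supported predicate subset against status the device reported."""
        if not predicate:
            return True  # an activation without a predicate always applies
        clauses = _CLAUSE.findall(predicate)
        if not clauses or " OR " in predicate.upper():
            raise ValueError(f"unsupported predicate: {predicate}")
        return all(status.get(key) == value for key, value in clauses)

    def active_configurations(self, status):
        """Configurations the device should apply, given its current status report."""
        active = set()
        for d in self.declarations.values():
            if d["Type"] != "com.apple.activation.simple":
                continue
            if self.predicate_holds(d["Payload"].get("Predicate"), status):
                active.update(d["Payload"]["StandardConfigurations"])
        return sorted(active)


def build_store():
    """Constructed sample: mail config referencing a user asset, iPad-only restriction."""
    store = DeclarationStore()
    store.put("asset.user", "com.apple.asset.useridentity",
              {"FullName": "J. Doe", "EmailAddress": "jdoe@worldwideenterprises.com"})
    store.put("config.mail", "com.apple.configuration.mail",
              {"UserIdentityAssetReference": "asset.user", "IncomingServer": "mail.example"})
    store.put("config.ipad-restrictions", "com.apple.configuration.restrictions",
              {"AllowCamera": False})
    store.put("activation.all", "com.apple.activation.simple",
              {"StandardConfigurations": ["config.mail"]})
    store.put("activation.ipad", "com.apple.activation.simple",
              {"Predicate": "@status(device.model.family) == 'iPad'",
               "StandardConfigurations": ["config.ipad-restrictions"]})
    return store
```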
How will DDM impact my deployment day 1?

There should be zero impact to any currently enrolled devices or new iOS 15 or macOS Monterey enrollments. Existing apps, profiles, updates, and other management objects will continue to function normally.

How can I trial DDM in my Workspace ONE environment?

The Workspace ONE team is hard at work to explore and implement the new DDM APIs into Workspace ONE UEM. This solution will likely be a multi-phase project taking place over many months of effort. Any released solutions will be made available first on our SaaS UAT tenants and published in our release notes and dedicated DDM knowledge base.

ABM/ASM Apps & Books Improvements

In their Improve MDM assignment of Apps and Books session, Apple announced a new set of APIs to allow MDM providers to deploy apps and books in a more efficient and scalable manner. Similar to declarative management, we encourage those interested in learning more to watch the session on Apple's developer site.

These new APIs remove the need for Workspace ONE UEM to directly manage license IDs and register users/devices with multiple requests. The new set of endpoints is centralized around real-time notifications for state changes of assets (apps & books), assignments, and registered users.

Today, Workspace ONE UEM is required to constantly request any new license data from Apple's system and update our records. With the new real-time notifications, Workspace ONE UEM is able to subscribe to various events and react to their success or failure more intelligently. If an app or book's licenses are purchased, transferred or deleted, Apple's system will notify Workspace ONE UEM that this change occurred. This removes any need to query for these changes on a scheduled cadence, which improves accuracy and performance of the overall system.

When associating licenses with devices or users, this process can fail or take several seconds to minutes to complete. This time is compounded if more than one license is associated with one or more devices or users. This leads to delays or failures installing apps, or to arbitrary workarounds to avoid this error occurring. With real-time notifications, Workspace ONE UEM is notified upon the success of a license association. This means all app or book installations only take place when this association is successful, thus reducing errors or unexpected delays.

How will these changes impact my organization?

The currently available APIs will remain functional for the foreseeable future, so there should be no impact to existing or new deployments. The Workspace ONE team is hard at work to digest and integrate with the newly available APIs. Any changes made as part of this integration should not require any admin action or loss of functionality.
Account driven User Enrollment in iOS 15

User Enrollment was released in iOS 13 for BYOD devices to separate personal and work data on Apple devices using an enterprise identity called a Managed Apple ID. This process was driven by the MDM server sending an MDM profile to the device containing the Managed Apple ID of the user. The presence of this ID instructed the device to conduct a User Enrollment as opposed to the typical Device Enrollment.

With iOS 15 and iPadOS 15, Apple has added a new location for VPN and MDM configurations in Settings > General > VPN & Device Management. User Enrollment can be initiated on this page with the new "Sign In to Work or School Account". When the user inputs their Managed Apple ID, the OS takes the domain portion of the ID and derives a URL to kick off the enrollment process. For example, if the user input jdoe@worldwideenterprises.com, the device would reach out to a worldwideenterprises.com discovery server that would direct the device to its MDM server.
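Both sides of the discovery step just described, as an added example that is not Apple's or Workspace ONE's code: the device derives the discovery URL from the domain of the Managed Apple ID, and the organisation's discovery server answers only for the domains it owns, pointing the device at the enrollment server. The well-known path and the Servers/Version/BaseURL response shape follow Apple's published account-driven enrollment documentation; the served domain and the enrollment URL are placeholders.

```python
"""Account-driven User Enrollment: the discovery exchange, modelled offline."""
import json
from urllib.parse import parse_qs, quote, urlsplit

WELL_KNOWN_PATH = "/.well-known/com.apple.remotemanagement"

# What the organisation's discovery server knows (constructed / placeholder values).
SERVED_DOMAINS = {"worldwideenterprises.com"}
ENROLLMENT_BASE_URL = "https://ENROLLMENT-SERVER-PLACEHOLDER.example/enroll"


def discovery_url(managed_apple_id):
    """Device side: derive the discovery URL from the domain part of the Managed Apple ID."""
    local, at, domain = managed_apple_id.partition("@")
    if not at or not local or not domain or "@" in domain or "/" in domain:
        raise ValueError("not a valid Managed Apple ID")
    return f"https://{domain.lower()}{WELL_KNOWN_PATH}?user-identifier={quote(managed_apple_id, safe='')}"


def handle_discovery(path_and_query):
    """Server side: return (status, body) for a GET of the well-known path.

    Unknown paths and identifiers outside SERVED_DOMAINS get 404, so this
    server never hands out an enrollment URL for domains it is not responsible for.
    """
    parts = urlsplit(path_and_query)
    if parts.path != WELL_KNOWN_PATH:
        return 404, None
    ids = parse_qs(parts.query).get("user-identifier", [])
    if len(ids) != 1 or "@" not in ids[0]:
        return 400, None
    domain = ids[0].rsplit("@", 1)[1].lower()
    if domain not in SERVED_DOMAINS:
        return 404, None
    return 200, {"Servers": [{"Version": "mdm-byod", "BaseURL": ENROLLMENT_BASE_URL}]}


def enrollment_base_url(managed_apple_id, fetch):
    """Device side: build the URL, fetch it, and pick the mdm-byod server (HTTPS only)."""
    status, body = fetch(discovery_url(managed_apple_id))
    if status != 200 or not body:
        return None
    for server in body.get("Servers", []):
        if server.get("Version") == "mdm-byod" and server.get("BaseURL", "").startswith("https://"):
            return server["BaseURL"]
    return None


def local_fetch(url):
    """Stand-in for the device's HTTPS GET: routes the request straight into handle_discovery."""
    parts = urlsplit(url)
    if parts.hostname not in SERVED_DOMAINS:
        return 404, None  # no discovery server answers for that domain
    return handle_discovery(f"{parts.path}?{parts.query}")


def discovery_document():
    """The JSON body the server publishes, as bytes, for serving from a web server."""
    return json.dumps(handle_discovery(
        f"{WELL_KNOWN_PATH}?user-identifier=user%40{next(iter(SERVED_DOMAINS))}")[1]).encode()
```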
Check out more specifics on this in Apple's WWDC 2021 session.

How will this impact my current User Enrolled devices?

Any devices already user enrolled will continue to function as normal with no admin interaction.

Will the previous User Enrollment method released in iOS 13 still work?

Yes. The previous method of User Enrollment will remain unchanged and can continue to be leveraged.

Is there any difference between devices enrolled with the original vs account driven method?

From a management perspective, there are no major differences between devices enrolled with either method once the device is enrolled. The only difference observed is the opportunity for ongoing authentication if the device is enrolled using the new account driven approach. This method allows the MDM server to check for authentication and re-authenticate whenever needed for added security.

How can I see and adopt the new account driven User Enrollment?

The Workspace ONE team is actively working to support the latest changes in User Enrollment in our SaaS UAT tenants. Per Apple's announcement, it appears a discovery server for each Managed Apple ID domain is required. This likely means that each organization will need to host a discovery server of their own to direct devices to their Workspace ONE enrollment server.

iOS 15

There were several updates for iOS/iPadOS 15 specifically. They are detailed below.

Required App

In iOS 15, Workspace ONE has the option to declare a single application in the MDM profile as "required". This allows the declared app to always install silently as if the device were supervised. Any other app will continue to prompt the user to confirm the installation. Supervised devices will still suppress installation prompts for all applications and thus do not benefit from this capability. The default application for this setting will be the Intelligent Hub app starting in a future release of Workspace ONE UEM. This means any device enrolling after this release and assigned the Intelligent Hub will silently install the Intelligent Hub instead of prompting users.
Profiles

Payload | Key | Description
Restriction | Require managed pasteboard | If true, copy and paste functionality respects the managed open-in restrictions.
Restriction | Force on device only translation | If true, the device won't connect to Siri servers for the purposes of translation. Available in iOS 15 and later.
Restriction | Force on device only dictation | If true, disables connections to Siri servers for the purposes of dictation. Available in iOS 14.5 and later.
Restriction | Allow unpaired external boot to recovery | If true, allows devices to be booted into recovery by an unpaired device. Requires a supervised device. Available in iOS 14.5 and later.
Restriction | Allow Near-field communications (NFC) | Users can't use built-in NFC hardware in compatible devices running iOS 14.2 or later.
Restriction | Allow auto unlock | With watchOS 7.4, users can't use their Apple Watch to unlock their paired iPhone running iOS 14.5. Available in iOS 14.5 or later.
Setup Assistant | Skip unlock with Apple Watch | This skips the screen related to unlocking the device with the Apple Watch.
Setup Assistant | Skip Accessibility | This skips the screen related to Accessibility.
Certificate Revocation | Certificate revocation | Use the Certificate Revocation payload to revoke certificates on an iPhone or iPad. For example, an MDM administrator can create a list of certificates for revocation. Specifying a certificate authority (CA) enables revocation checking for all certificates chaining up to that CA. Available for iOS 14.2 and later.
TV Remote | TV Device Name | Admins can provide a list of Apple TV device names to be used to remove Apple TV device names in the remote widget. Available for iOS 15 and later.

Commands

Module | Command | Description
Software update settings | Recommendation cadence | Admins can provide users the option to update to iOS 15 or iPadOS 15 (the next latest major version), or to continue to update to newer versions of iOS 14 and iPadOS 14, even after iOS 15 and iPadOS 15 are released. 2: It will show the update path for the operating system with the highest version number. 1: It will show the software update with the lower version number, if available. 0: It will show both options (the default).
Shared device settings | Temporary session only | If true, the user only sees the Guest Welcome pane and can only log in as a guest user. If false, the user can sign in with a managed Apple ID (the existing behavior). This is available in iOS 14.5 and later and must be applied before users log in to the device.
Shared device settings | Temporary session timeout | The timeout, in seconds, for the temporary session. The temporary session logs out automatically after the specified period of inactivity. The minimum value is 30 seconds. Setting this value to 0 removes the timeout. This is available in iOS 14.5 and later and must be applied before users log in to the device.
Shared device settings | User session timeout | The timeout, in seconds, for the user session. The user session logs out automatically after the specified period of inactivity. The minimum value is 30 seconds. Setting this value to 0 removes the timeout. This is available in iOS 14.5 and later and must be applied before users log in to the device.

macOS Monterey 12.0

There were several updates for macOS Monterey 12.0 specifically.

Profiles

Payload | Key | Description
Restriction | Enforce a major macOS software update delay | Defer major macOS updates, such as macOS 12, for a period of time.
Restriction | Enforce a minor macOS software update delay | Defer minor macOS updates, such as macOS 11.5, for a period of time.
Restriction | Enforce a non-macOS software update delay | Defer non-macOS software updates, such as a supplemental update, for a period of time.
Restriction | Allow erase all content and settings | Prevent users from using Erase All Content and Settings on their Mac.
Setup Assistant | Skip unlock with Apple Watch | This skips the screen related to unlocking the device with the Apple Watch.
Kernel Extensions | Allow non admin user approvals | Allow users who aren't local administrators to approve kernel extensions.

Commands

Module | Command | Description
Restart | Notify user | If true, notifies the user to restart the device at their convenience. No forced restart occurs unless the device is at the login window with no logged-in users. The user can dismiss the notification and ignore the request. No further notifications display unless you resend the command. This value is available in macOS 11.3 and later.
Restart | Rebuild Kernel cache | If true, the system rebuilds the kernel cache during a device restart. This value is available in macOS 11 and later.
Recovery Lock | Set Recovery Lock | Set the recoveryOS password. Available in macOS 12.0 and later.
Recovery Lock | Verify Recovery Lock | Verify whether a recoveryOS password has been set. Available in macOS 12.0 and later.
Device Information | Is Apple Silicon | Query whether the device is a Mac with Apple silicon. Available in macOS 12.0 and later.
Device Information | Can install iOS apps | Install iPhone and iPad apps on a Mac with Apple silicon from Apps and Books in Apple School Manager and Apple Business Manager. Available in macOS 11.3 and later.
OS Updates | Max user deferrals | Specify the maximum number of deferrals, after which a forced update will occur.

tvOS 15

The only change to tvOS 15 is that Apple TVs will no longer broadcast their MAC address.

Resources

WWDC 2021 Videos

- What's new in managing Apple devices
- Meet declarative device management
- Discover account-driven User Enrollment
- Improve MDM assignment of Apps and Books
- Manage software updates in your organization

VMware EUC Blog